CVE-2024-52965 — Missing Critical Step in Authentication in Fortinet Fortios

CWE-304 — Missing Critical Step in Authentication4 documents4 sources

Severity

7.2HIGHNVD

EPSS

0.0%

top 86.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Fortinet Fortios Fortinet Fortiproxy

Timeline

PublishedJul 8

Description

A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.5, 7.2.0 through 7.2.10, and before 7.0.16 & FortiProxy version 7.6.0 through 7.6.1, 7.4.0 through 7.4.8, 7.2.0 through 7.2.13 and before 7.0.20 allows an API-user using api-key + PKI user certificate authentication to login even if the certificate is invalid.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages4 packages

▶NVDfortinet/fortios7.0.1 — 7.0.17+4

▶NVDfortinet/fortiproxy7.0.0 — 7.0.21+3

▶CVEListV5fortinet/fortios7.6.0 — 7.6.1+3

▶CVEListV5fortinet/fortiproxy7.6.0 — 7.6.1+3

🔴Vulnerability Details

GHSA

GHSA-3jrw-g6mq-cx56: A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7↗2025-07-08

▶

CVEList

CVE-2024-52965: A missing critical step in authentication vulnerability [CWE-304] in Fortinet FortiOS version 7↗2025-07-08

▶

📋Vendor Advisories

Fortinet

PKI via API: Authentication granted with an invalid certificate↗2025-07-08

▶